Yesterday on the DreamHost Status Blog, it was announced that all shell/FTP passwords would be reset due to what looks to be a security breach that was discovered on one of the DreamHost database servers.DreamHost looks to have done a great job notifying affected customers via the update page, keeping them up-to-date throught out the day until the issue was resolved. It looks like all FTP passwords were indeed reset.
We recommend that all DreamHost customers log into to their accounts and check their account status. It is encouraged that you change your account passwords, and it wouldn’t hurt to change your FTP and database passwords again just to make sure.
If you read through the comments on the blog post listed above, you will see quite a few complaints about infected sites across DreamHost servers over the last few months. As of now, these infection issues do not look to be related to yesterdays security incident.
One user on the DreamHost Status Blog attributes the malware issues to the DreamHost one-click install wizard, we have not confirmed this:
Apparently, the breach occured in November via the
one-click install wizard offered by Dreamhost: One click and your whole
Wordpress / Drupal web site is installed, ready to use, automatically updated
by the wizard. Apparently, it’s the wizard itself that was compromised and
anybody who used it was affected.
We have cleaned quite a few of these websites, and most of them were infected through outdated software installed by the customer. The important note to take here is it’s crucially important to ensure you’re keeping your sites updated. Remember, security is everyone’s responsibility. If you’re running a website you have a responsibility to your readership, customers, and the online world in general.
Updated (January 21st, 2011 – 14:22 PST) DreamHost CEO released a Security Update blog post on the official DreamHost blog.
Simon Anderson, DreamHost CEO, says,
“our systems have stored and used encrypted passwords for a number of years, however the hacker found a legacy pool of unencrypted FTP/shell passwords in a database table that we had not previously deleted. We’ve now confirmed that there are no more legacy unencrypted passwords in our systems. And we’re investigating further measures to ensure security of passwords including when a customer requests their password by email (this was not the issue here, though).”
Sucuri is unclear of the impact from the breached passwords at this time, but we’ll update as we get more information about the incident.
If you’re interested in learning about your website security health, run a free scan with Sucuri SiteCheck, hopefully you’re green across the board.